
As a cluster administrator, you can configure network policy to provide multitenant network isolation.

Configuring network policy as described in this section provides network isolation similar to the multitenant mode of OpenShift SDN in previous versions of OpenShift Container Platform.

Configuring multitenant isolation with network policy

You can configure your project to isolate it from pods and services in other project namespaces.

Prerequisites
  • Your cluster uses a network plugin that supports NetworkPolicy objects, such as the OVN-Kubernetes network plugin, with mode: NetworkPolicy set.

  • You have installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user that has admin privileges.

Procedure
  1. Create the following NetworkPolicy objects:

    1. A policy named allow-from-openshift-ingress.

      $ cat << EOF | oc create -f -
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-openshift-ingress
      spec:
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                policy-group.network.openshift.io/ingress: ""
        podSelector: {}
        policyTypes:
        - Ingress
      EOF

      policy-group.network.openshift.io/ingress: "" is the preferred namespace selector label for OVN-Kubernetes.

    2. A policy named allow-from-openshift-monitoring.

      $ cat << EOF | oc create -f -
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-openshift-monitoring
      spec:
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                network.openshift.io/policy-group: monitoring
        podSelector: {}
        policyTypes:
        - Ingress
      EOF

    3. A policy named allow-same-namespace.

      $ cat << EOF | oc create -f -
      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: allow-same-namespace
      spec:
        podSelector: {}  # empty selector: applies to every pod in the namespace
        ingress:
        - from:
          - podSelector: {}  # a podSelector without a namespaceSelector matches only pods in this namespace
      EOF

    4. A policy named allow-from-kube-apiserver-operator.

      $ cat << EOF | oc create -f -
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-kube-apiserver-operator
      spec:
        podSelector: {}  # applies to every pod in the namespace
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: openshift-kube-apiserver-operator
            podSelector:
              matchLabels:
                app: kube-apiserver-operator
        policyTypes:
        - Ingress
      EOF
  2. Optional: To confirm that the network policies exist in your current project, enter the following command:

    $ oc describe networkpolicy
    Example output
    Name:         allow-from-openshift-ingress
    Namespace:    example1
    Created on:   2020-06-09 00:28:17 -0400 EDT
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
      Allowing ingress traffic:
        To Port: <any> (traffic allowed to all ports)
        From:
          NamespaceSelector: network.openshift.io/policy-group: ingress
      Not affecting egress traffic
      Policy Types: Ingress
    
    
    Name:         allow-from-openshift-monitoring
    Namespace:    example1
    Created on:   2020-06-09 00:29:57 -0400 EDT
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
      Allowing ingress traffic:
        To Port: <any> (traffic allowed to all ports)
        From:
          NamespaceSelector: network.openshift.io/policy-group: monitoring
      Not affecting egress traffic
      Policy Types: Ingress
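The four policies above isolate a namespace only because each one selects every pod and the allowed peers are the union of all their from-rules, so one later policy with a broader rule silently widens what the namespace accepts. As an added example that is not part of the OpenShift documentation, the following Python audit reads the items list of `oc get networkpolicy -o json` (a constructed sample mirroring the four policies is embedded) and reports whether every pod is ingress-isolated, whether same-namespace traffic is allowed, and which cross-namespace peers each policy admits.

```python
# Constructed sample: the "items" list of `oc get networkpolicy -o json` for a
# namespace after the four policies from the procedure above have been created.
SAMPLE_POLICIES = [
    {"metadata": {"name": "allow-from-openshift-ingress"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{"from": [
         {"namespaceSelector": {"matchLabels": {"policy-group.network.openshift.io/ingress": ""}}}]}]}},
    {"metadata": {"name": "allow-from-openshift-monitoring"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{"from": [
         {"namespaceSelector": {"matchLabels": {"network.openshift.io/policy-group": "monitoring"}}}]}]}},
    {"metadata": {"name": "allow-same-namespace"},
     "spec": {"podSelector": None, "ingress": [{"from": [{"podSelector": {}}]}]}},
    {"metadata": {"name": "allow-from-kube-apiserver-operator"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{"from": [
         {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "openshift-kube-apiserver-operator"}},
          "podSelector": {"matchLabels": {"app": "kube-apiserver-operator"}}}]}]}},
]

def effective_policy_types(spec):
    """Kubernetes default: Ingress always, Egress only when an egress section exists."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def audit_ingress_isolation(policies):
    """Summarise the ingress that a namespace's pods will accept under these policies.
    A pod is ingress-isolated once any Ingress-type policy selects it (an empty or null
    podSelector selects every pod); allowed peers are the union of the from-rules of
    all such policies, so a single over-broad policy silently undoes the isolation."""
    all_pods_isolated, same_namespace, peers = False, False, []
    for pol in policies:
        name, spec = pol["metadata"]["name"], pol.get("spec") or {}
        if "Ingress" not in effective_policy_types(spec):
            continue
        if not spec.get("podSelector"):          # {} or null: applies to all pods
            all_pods_isolated = True
        for rule in spec.get("ingress") or []:
            if not rule.get("from"):             # rule without "from": any source
                peers.append((name, "*", "*"))
            for peer in rule.get("from") or []:
                ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
                if ns_sel is None and pod_sel is not None:
                    same_namespace = True        # podSelector alone: own namespace
                elif ns_sel is not None:         # (policy, namespace labels, pod labels)
                    peers.append((name, ns_sel.get("matchLabels", {}),
                                  (pod_sel or {}).get("matchLabels", "*")))
                elif peer.get("ipBlock"):        # CIDR peers bypass label selectors
                    peers.append((name, "ipBlock", peer["ipBlock"].get("cidr")))
    return {"all_pods_isolated": all_pods_isolated,
            "same_namespace_allowed": same_namespace,
            "cross_namespace_peers": peers}
```

A peer entry with "*" in the pod-labels position means every pod of the matched namespace is admitted; a namespace whose result shows all_pods_isolated False still has unselected pods accepting traffic from anywhere.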